vscode: Problem Updating VS Code - Blocked By AppLocker Due To Insufficient Information In Update Executable

Issue Type: Bug

I am seeing an update for Visual Studio Code. In our environment, we have whitelisted the following:

Publisher: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Product Name: VISUAL STUDIO CODE
File name and File Version: *

However, when an update attempts to install, it appears to run a .tmp file as an EXE. However, this file has no product name associated with it and hence cannot run. Note that not all Microsoft signed products are allowed in this environment since there are some products we don’t want users to be able to run/execute. Can we get these update files to also include a Product Name in the signature, ideally “VISUAL STUDIO CODE”, or something static that doesn’t change that we can whitelist?

Here is the error produced when attempting to run this update (I have removed the personal information):

Log Name:      Microsoft-Windows-AppLocker/EXE and DLL
Source:        Microsoft-Windows-AppLocker
Event ID:      8004
Task Category: None
Level:         Error
Keywords:      
Description:
%OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\IS-PUPV1.TMP\CODESETUP-STABLE-51B0B28134D51361CF996D2F0A1C698247AEABD8.TMP was prevented from running.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
    <EventID>8004</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <EventRecordID>20593012</EventRecordID>
    <Correlation />
    <Execution ProcessID="22100" ThreadID="23936" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyNameLength>3</PolicyNameLength>
      <PolicyName>EXE</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleNameLength>1</RuleNameLength>
      <RuleName>-</RuleName>
      <RuleSddlLength>1</RuleSddlLength>
      <RuleSddl>-</RuleSddl>
      <TargetProcessId>21196</TargetProcessId>
      <FilePathLength>116</FilePathLength>
      <FilePath>%OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\IS-PUPV1.TMP\CODESETUP-STABLE-51B0B28134D51361CF996D2F0A1C698247AEABD8.TMP</FilePath>
      <FileHashLength>32</FileHashLength>
      <FileHash>5EF92093632A6169A704045D1925E0AC4382B311FDE22FAF8242454A24D7AFCB</FileHash>
      <FqbnLength>69</FqbnLength>
      <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\\51.1052.0.00</Fqbn>
      <TargetLogonId>0x632748</TargetLogonId>
    </RuleAndFileData>
  </UserData>
</Event>

VS Code version: Code 1.31.1 (1b8e8302e405050205e69b59abb3559592bb9e60, 2019-02-12T02:20:54.427Z)
OS version: Windows_NT x64 10.0.17134

System Info
Item              Value
CPUs              Intel® Core™ i7-7700 CPU @ 3.60GHz (8 x 3600)
GPU Status        2d_canvas: enabled
                  checker_imaging: disabled_off
                  flash_3d: enabled
                  flash_stage3d: enabled
                  flash_stage3d_baseline: enabled
                  gpu_compositing: enabled
                  multiple_raster_threads: enabled_on
                  native_gpu_memory_buffers: disabled_software
                  rasterization: enabled
                  surface_synchronization: enabled_on
                  video_decode: enabled
                  webgl: enabled
                  webgl2: enabled
Memory (System)   31.89GB (17.54GB free)
Process Argv      
Screen Reader     no
VM                0%

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 21 (9 by maintainers)

Most upvoted comments

@joaomoreno No sorry, Inno Setup 5 used (really) old compilers and I can no longer build it.

Let me know if you need help updating to version 6 but I think it shouldn’t be too much of a problem. The compiler will recommend some changes but you could ignore those.

Note that version 6 contains changes specifically made because of the vscode script which enables you to simplify it:

  • You can use {autopf} instead of using ISPP to switch between {pf} and {userpf}.
  • You can use HKA instead of using ISPP to switch between HKCU and HKLM.
  • You can use a single AppId instead of having two. This allows the user to choose the install mode at runtime and allows you to get rid of the conflicting architectures checks in the vscode script. Although I suppose it’s some work to switch to this while still being backward compatible with existing installations. If you choose to keep having two AppIds you can still use {autopf} and HKA.
  • ISPP array variables declared with #dim can now be initialized directly, like #dim MyArray[3] {1, 2, 3}. You can use this to replace the massive amount of lines related to extensions to use an array and a #sub. I actually started preparing a pull request for this a while ago but was unsuccessful because there are many inconsistencies in the way the various extensions are currently registered by the vscode script.

There are other reasons why you should update as well, like a more modern look, the use of more user-friendly TaskDialog prompts in some places and improved protection against DLL hijacking, and more. After all, 5.6.1 is over two years old 😉

BTW I also noticed your IsNotUpdate and WizardNotSilent functions. You can get rid of those since you can for example just write: Check: not WizardSilent.

@aakash-shah Thanks for the very detailed explanation. I’ll take a shot at this in July: https://stackoverflow.com/questions/47397961/inno-setup-uninstaller-versioninfo

It is a perfectly valid AppLocker configuration to whitelist applications by digital signature and allow them to be run from writable folders. The signature ensures they have not been modified. (I’m not saying this is good or bad. I’m just saying it’s valid.)

Unless someone working on vscode found and fixed the bug separately from this GitHub issue, one of the temp files is actually being incorrectly signed. That should be fixed, regardless of whether the updates are handled by background services or by the user.

Unfortunately I’m not sure we can customize the generated tmp file from Inno Setup… The product name is simply empty?

Correct. Here are the file details of the file being blocked when attempting to run the update (it shows no Product Name):

PS C:\> (Get-Item 'C:\Users\username\AppData\Local\Temp\is-A07A3.tmp\CodeSetup-stable-a622c65b2c713c890fcf4fbf07cf34049d5fe758.tmp').VersionInfo | Format-List *

FileVersionRaw     : 51.1052.0.0
ProductVersionRaw  : 0.0.0.0
Comments           : 
CompanyName        : 
FileBuildPart      : 0
FileDescription    : Setup/Uninstall
FileMajorPart      : 51
FileMinorPart      : 1052
FileName           : C:\Users\username\AppData\Local\Temp\is-A07A3.tmp\CodeSetup-stable-a622c65b2c713c890fcf4fbf07cf34049d5fe758.tmp
FilePrivatePart    : 0
FileVersion        : 51.1052.0.0
InternalName       : 
IsDebug            : False
IsPatched          : False
IsPrivateBuild     : False
IsPreRelease       : False
IsSpecialBuild     : False
Language           : Language Neutral
LegalCopyright     : 
LegalTrademarks    : 
OriginalFilename   : 
PrivateBuild       : 
ProductBuildPart   : 0
ProductMajorPart   : 0
ProductMinorPart   : 0
ProductName        : 
ProductPrivatePart : 0
ProductVersion     : 
SpecialBuild       : 

Compare this, for instance, to Code.exe of VS Code, which has a Product Name:

PS C:\> (Get-Item "C:\Program Files\Microsoft VS Code\Code.exe").VersionInfo | fl *

FileVersionRaw     : 1.31.1.0
ProductVersionRaw  : 1.31.1.0
Comments           : 
CompanyName        : Microsoft Corporation
FileBuildPart      : 1
FileDescription    : Visual Studio Code
FileMajorPart      : 1
FileMinorPart      : 31
FileName           : C:\Program Files\Microsoft VS Code\Code.exe
FilePrivatePart    : 0
FileVersion        : 1.31.1
InternalName       : electron.exe
IsDebug            : False
IsPatched          : False
IsPrivateBuild     : False
IsPreRelease       : False
IsSpecialBuild     : False
Language           : English (United States)
LegalCopyright     : Copyright (C) 2019 Microsoft. All rights reserved
LegalTrademarks    : 
OriginalFilename   : electron.exe
PrivateBuild       : 
ProductBuildPart   : 1
ProductMajorPart   : 1
ProductMinorPart   : 31
ProductName        : Visual Studio Code
ProductPrivatePart : 0
ProductVersion     : 1.31.1
SpecialBuild       : 

Here is the AppLocker information that is being read by the system for the failing .tmp file being read as an EXE:

PS C:\> (Get-AppLockerFileInformation 'C:\Users\username\AppData\Local\Temp\is-A07A3.tmp\CodeSetup-stable-a622c65b2c713c890fcf4fbf07cf34049d5fe758.tmp') | fl *

Path      : %OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\IS-A07A3.TMP\CODESETUP-STABLE-A622C65B2C713C890FCF4FBF07CF34049D5FE758.TMP
Publisher : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\,51.1052.0.0
Hash      : SHA256 0x5EF92093632A6169A704045D1925E0AC4382B311FDE22FAF8242454A24D7AFCB
AppX      : False

The text “\\” in the Publisher shows the lack of a product name (the product name would have been between the 2 slashes). For instance here is how code.exe that has a product name looks:

PS C:\> Get-AppLockerFileInformation 'C:\Program Files\Microsoft VS Code\Code.exe' | fl *

Path      : %PROGRAMFILES%\MICROSOFT VS CODE\CODE.EXE
Publisher : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\VISUAL STUDIO CODE\ELECTRON.EXE,1.31.1.0
Hash      : SHA256 0x488A7C781B6E4BF11D45E4EC063CE6AFC81106FD7ACB0A41D3DCD2D440A7596B
AppX      : False

Note that whatever mechanism is producing this file, it is producing a digitally signed file. Hence, if it’s able to sign the file, I would imagine it should be possible to add a product name to these setup EXE files.

I have attached the file in question as a Zip file (since .tmp files were not permitted) in case it helps troubleshoot this. CodeSetup-stable-a622c65b2c713c890fcf4fbf07cf34049d5fe758.zip

Please let me know if I can provide any other information.

Thanks!
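To make the FQBN matching described in the thread concrete, here is an added PowerShell example (not code from the issue, VS Code or Inno Setup) that parses the Publisher\Product\Binary,Version string, emulates the reporter's publisher rule against it, and searches AppLocker 8004 events for blocked files whose product segment is empty. The function names are my own, and the demo inputs are the two FQBN strings quoted above.

```powershell
# Added example (not code from the issue, VS Code or Inno Setup): parse the
# AppLocker FQBN, emulate a publisher rule against it, and hunt 8004 events for
# signed files with an empty product name, the failure shown in this thread.
function ConvertFrom-Fqbn {
    param([Parameter(Mandatory)][string]$Fqbn)
    # Layouts on this page: Publisher\Product\Binary,Version (cmdlet output) and
    # Publisher\Product\Binary\Version (event XML). The publisher DN itself has
    # commas, so only a comma after the last backslash separates the version.
    $lastSlash = $Fqbn.LastIndexOf('\')
    $lastComma = $Fqbn.LastIndexOf(',')
    $cut = if ($lastComma -gt $lastSlash) { $lastComma } else { $lastSlash }
    $names = $Fqbn.Substring(0, $cut) -split '\\'
    if ($names.Count -ne 3) { throw "Unexpected FQBN layout: $Fqbn" }
    # Product is the empty string for the blocked .tmp discussed in this issue.
    [pscustomobject]@{ Publisher = $names[0]; Product = $names[1]; BinaryName = $names[2]; Version = $Fqbn.Substring($cut + 1) }
}

# Emulates a publisher rule; '*' means "any", as in the AppLocker rule wizard.
function Test-PublisherRule {
    param([Parameter(Mandatory)][string]$Fqbn, [Parameter(Mandatory)][string]$Publisher,
          [string]$ProductName = '*', [string]$BinaryName = '*')
    $f = ConvertFrom-Fqbn $Fqbn
    $failed = @()
    if ($f.Publisher -ne $Publisher) { $failed += 'Publisher' }
    if ($ProductName -ne '*' -and $f.Product -ne $ProductName) { $failed += 'ProductName' }
    if ($BinaryName -ne '*' -and $f.BinaryName -ne $BinaryName) { $failed += 'BinaryName' }
    [pscustomobject]@{ Allowed = ($failed.Count -eq 0); FailedFields = $failed; Fqbn = $f }
}

# Lists recent 8004 blocks whose signed file carries no product name at all.
function Find-BlockedWithoutProductName {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            $f = ConvertFrom-Fqbn $d.Fqbn
            if ($f.Product -eq '') {
                [pscustomobject]@{ Time = $_.TimeCreated; Path = $d.FilePath; Publisher = $f.Publisher; Version = $f.Version }
            }
        }
}

# Demo on the two FQBNs quoted in the thread (constructed input; no file access needed).
$pub = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'
Test-PublisherRule "$pub\\,51.1052.0.0" $pub 'VISUAL STUDIO CODE'
Test-PublisherRule "$pub\VISUAL STUDIO CODE\ELECTRON.EXE,1.31.1.0" $pub 'VISUAL STUDIO CODE'
```

The first call reports ProductName as the failed field, which is the only thing separating the blocked .tmp from Code.exe under a rule like the reporter's; running Find-BlockedWithoutProductName on an affected machine lists every such block without resorting to hash rules for a file whose hash changes every release.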